(FNC-CA) Policy Based Routes
If the FortiNAC system is running the FortiNAC-OS operating system (FNC-CAX), skip this step.
Configure policy-based routing. Policy-based routing ensures traffic is transmitted out the same interface on which it was received. This allows FortiNAC agents to communicate with FortiNAC through either the management interface (eth0) or the VPN sub-interface, depending on whether the endpoint is isolated.
Policy-based routing is configured on FortiNAC using the command setupAdvancedRoute, which is run from the FortiNAC CLI. This must be done on both the Primary and Secondary Servers in High Availability configurations. For details on policy-based routing and the script used for configuration, see Policy Based Routing in the Appendix.
Important: If High Availability is configured, execute the steps outlined in the sections Isolation Interfaces and Policy Based Routes on the Secondary Server and make the same modifications. Otherwise, VPN will not work should a failover occur.
- Login to the CLI as root of the FortiNAC server (Application Server if separate Control and Application Servers).
- Run the script.
  Important: The following instructions presume the script has not yet been run. If the script has been run previously and you are modifying or adding an interface, see the Appendix for instructions.
  - Type setupAdvancedRoute
  - Type I to install
  - Enter the gateway for each interface (eth0, eth1, etc.) as prompted.
- Once the script completes, verify the configuration. Type
  ip rule show
  There should now be a rule listed for each interface and sub-interface configured:
0: from all lookup local
10: from <eth0 IP address> lookup eth0
20: from <eth1 IP address> lookup eth1
30: from <eth1:1 IP address> lookup eth1:1
40: from <eth1:2 IP address> lookup eth1:2
32766: from all main
32767: from all default
Example:
>ip rule show
0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all main
32767: from all default
- Reboot the appliance.
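The rule listing above rests on two standard Linux policy-routing primitives: a routing table per interface holding that interface's own default route, and an ip rule that sends packets sourced from the interface address to that table. The following is an added example, not FortiNAC's setupAdvancedRoute script (whose contents are not shown here): a dry-run generator that prints those two commands for one interface, plus a verification check that reads ip rule show output and names any configured address that has no policy rule. The gateway addresses, the sample rule listing and the assumption that the table names are mapped in /etc/iproute2/rt_tables are constructed for the example.

```shell
#!/bin/sh
# Added example: the generic Linux policy-based-routing commands behind an
# "ip rule show" listing like the one in the verification step. This is not
# FortiNAC's setupAdvancedRoute script; gateways and table names are assumptions.

# Emit (without running) the two commands that give one interface its own
# routing table: a default route inside that table, and a rule that sends
# packets sourced from the interface address to it, so replies leave on the
# interface they arrived on. Arguments: device, source address, gateway,
# table name, rule priority. For an alias sub-interface such as eth1:1 the
# device is the parent (eth1); the table name must be listed in
# /etc/iproute2/rt_tables for "lookup eth1:1" to resolve.
pbr_commands() {
    dev=$1; addr=$2; gw=$3; table=$4; prio=$5
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$prio"
}

# Verification check: read "ip rule show" output from stdin and confirm that
# every address passed as an argument has a "from <addr> lookup ..." rule.
# Returns 0 when all rules are present, 1 otherwise (each missing one is named).
# The trailing space in the pattern stops 10.200.5.2 matching 10.200.5.20.
check_pbr_rules() {
    rules=$(cat)
    status=0
    for addr in "$@"; do
        if ! printf '%s\n' "$rules" | grep -qF "from $addr lookup"; then
            echo "missing policy rule for $addr"
            status=1
        fi
    done
    return $status
}

# Demonstration with the addresses from the example listing; the gateways
# 10.200.20.1 and 10.200.5.1 are constructed, not taken from the page.
pbr_commands eth0 10.200.20.20 10.200.20.1 eth0 10
pbr_commands eth1 10.200.5.20 10.200.5.1 eth1 20
pbr_commands eth1 10.200.5.21 10.200.5.1 eth1:1 30
pbr_commands eth1 10.200.5.22 10.200.5.1 eth1:2 40

# Constructed snapshot of "ip rule show" in which the eth1:2 rule is absent,
# so the check reports 10.200.5.22 as unrouted.
SAMPLE_RULES='0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
32766: from all lookup main
32767: from all lookup default'
printf '%s\n' "$SAMPLE_RULES" \
    | check_pbr_rules 10.200.20.20 10.200.5.20 10.200.5.21 10.200.5.22 \
    || echo "policy routing incomplete: re-run the setup for the missing interface"
```

On a live appliance the check would be fed with the real listing (ip rule show | check_pbr_rules <addresses>), giving a scriptable pass/fail for the verification step on both the Primary and Secondary Servers instead of reading the rule table by eye.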